Santa is a binary authorization system for macOS, aptly named since its main purpose is to keep track of binaries that are either naughty or nice. Santa is made up of a kernel extension (or a system extension on macOS 10.15+) that monitors and participates in execve() decisions, a userland daemon that makes the execution decisions, a GUI agent that shows notifications when an execve() is blocked, and a command-line utility that oversees system management and the synchronization of database and server.
Santa is built to help protect users by stopping the spread of malware and analyzing what's running on a computer, but is by no means a total security system. Ideally Santa works as a part of a defense-in-depth strategy, and other measures should be in place to protect hosts.
Features
- Multiple modes for different cases
- Event logging
- Certificate-based rules, with override levels
- Path-based rules (via NSRegularExpression/ICU)
- Failsafe certificate rules
- In-kernel caching
- Userland components validate each other
- Kernel extension uses only provided KPIs